The authors will treat, respectively, the wider political-strategic aspects of NATO in this domain and the doctrinal and technical side of the Alliance’s cyber policy. Leaving aside the platitudes on cyberspace, NATO is in the typical position of a thalassocracy, namely a great power extending its power to the sea, which has an inherent interest in keeping a common good open to access and free for all. If one considers that explorers navigated the sea in the XVI-XVII centuries and that today one navigates cyberspace, the comparison makes perfect sense. It is not by chance that NATO takes its name from an ocean, and its tenets apply rather neatly to the needs of this relatively new dimension. Cyber-defence is part of the core task of collective defence.
Its fundamental interest, in the words of Deputy Secretary General Rose Gottemoeller: "NATO’s approach to cyber space embraces our overall mandate and principles and supports our broader deterrence and defence mission. Moreover, NATO promotes a stable and peaceful cyberspace and I do want to underscore that also for this audience: our goal is to nurture, develop and strengthen a stable and peaceful cyberspace."
NATO contributes to this goal in three ways: by reaffirming the rule of law and exercising restraint, by supporting national resilience, and by fostering deeper cooperation. The rule of law is essential for keeping a commons free and accessible for all users, including political adversaries or counterparts. This is not naïve; it is exactly what Saint Thomas More asserted in the drama "A Man for All Seasons": give the Devil the benefit of law, because if the last law were down, where could one shelter when the Devil turned round? Laws are for the safety of all, starting with law-abiding partners.
In fact, in 2014 NATO agreed that international law, including international humanitarian law and the UN Charter, applies in cyberspace. This principle (reaffirmed at the 2016 Warsaw summit) entails the principle of restraint. NATO is a strictly defensive alliance and it wants to avoid unintended consequences, reducing as far as possible the scope for miscalculation given cyberspace’s intrinsically anonymous and asymmetrical nature.
This means that deterrence in this dimension is not the same as classical nuclear deterrence. In the latter case, massive devastation is an intended consequence, because the objective is to prevent the use of these weapons through the certainty of mutual assured destruction. Antimissile systems and miniaturised warheads complicate the calculus, though the hope is that the end result will be the same: avoiding a nuclear exchange. Treating hostilities in cyberspace is more akin to COIN (counterinsurgency), where legitimacy, boots on the ground, the beat cop, flexibility and other components have historically helped in quelling the problem, and where the “crush them” approach has proven deeply counterproductive.
Supporting national resilience is part of this necessary, persistent, multi-level effort. The Cyber Defence Centre of Excellence in Tallinn is one of the tools, born out of the spectacular strategic failure of a massive cyber-attack by allegedly Russia-friendly actors against Estonia. Estonia was tactically blocked for three long days, but its political resolve was strengthened and NATO was spurred into action. Another tool is the Cyber Defence Pledge (2016), which helps member states to allocate resources efficiently and which will be reviewed at the next Brussels summit.
Finally, cooperation is one of the strongest assets of the Alliance, not only among the 29 allies (including special points of contact and the NATO Computer Incident Response Capability, NCIRC), but also through more than forty partnerships with non-member countries and with international organisations such as the European Union (Technical Agreement, February 2016), in addition to industry (NATO Industry Cyber Partnership) and academia.
Taking now a more technical and doctrinal angle, one should remember that NATO’s development was not as sudden as it might appear. From the appearance of the first Morris worm in 1988 to the incident in Estonia in April 2007, computer security was relegated to a secondary position with respect to physical security. Only in October 2010, with the discovery of the Stuxnet malware, which affected the development of the Iranian nuclear programme, did decision makers begin to realise that cyberspace had become a dangerous offensive ground that could be exploited at government level.
The Atlantic Alliance has taken several successive steps to counter this threat, trying to create a shared defence policy. NATO adopted and approved an action plan during the summit in Wales in September 2014 and subsequently updated it in 2017. Beyond stating the tenets of collective defence and international law mentioned above, the policy names as its main priority the protection of the communication systems owned or managed by the Alliance. It also establishes the procedures for assistance to allied countries and for the integration of cyber defence into operational planning. These policies are complemented by an action plan that sets concrete objectives on topics such as education, training, exercises and partnerships.
At the 2016 Warsaw summit, the Allies therefore committed themselves to strengthening collective and national structures, in part by integrating cyber defence into intelligence, and recognised that cyberspace is a domain of operations in which NATO must defend itself, just as in the land, sea and air domains.
Within the Smart Defense programmes for IT defence, the Malware Information Sharing Platform (MISP) and the Multinational Cyber Defense Education and Training (MN CD E&T) project were integrated. To achieve this goal, NATO organises annual exercises such as the Cyber Coalition Exercise and the Crisis Management Exercise (CMX) and is raising its education and training capabilities through the structure provided by Estonia with the Cyber Range. Recently (February 2018), representatives of the European Community and NATO reached a collaboration agreement to strengthen and share IT defences.
As a personal opinion, given the recent political and technical innovation, the inequality of training and resources, and the structural differences in the communication systems of both NATO allies and the European Community nations, it will be difficult to achieve full operation and integration for some years. Currently the only staple of NATO’s cybernetic operations is the Center of Excellence (CCDCOE) in Estonia, which, with the publication of the "Tallinn Handbook on International Law applicable to the cyber war" and its 95 rules, laid the foundations for the future policies of the Alliance.